The security of computer resources has many diverse aspects. The facet of security of concern herein is controlling the use of computer resources. By computer resources we shall mean throughout both computer hardware operated by means of program instructions (e.g., central processing unit, storage disc and peripheral device) and computer software that comprises said program instructions (e.g., executable computer program, linkable object library and programming language source code). A method and system to control the use of a computer resource provides the means to describe, implement and enforce policies regarding where, when, why, how, and by whom the computer resource may be used.
Controlling the use of computer resources provides benefits to both the entity providing the computer resources and the entity using the computer resources. The entity providing the computer resources can, for example, rely on methods and systems for controlling use of the computer resources to ensure that the computer resources are used in the proper place, at the proper time, in the proper way and by the proper user. On the other hand, the entity using computer resources can, for example, rely on methods and systems for controlling use of computer resources to ensure that the computer resources are fit-for-purpose, are in working condition, are the latest versions and are genuine and unaltered.
A necessary component of methods and systems for controlling the use of computer resources is the reliable and unambiguous identification of individual computer resources. For example, to implement the policy that a particular program must only be used on a particular computer, it is necessary to be able to uniquely identify both the individual program and the individual computer.
An individual computer resource can be provided with a unique identification by binding it to a uniquely identified physical object. The metallic serial number tag on the back of a computer chassis is an example of identifying an individual computer resource by binding it to a uniquely identified physical object. The product identification sticker on the jewel case or shrink-wrap containing an individual computer program is another example of identifying an individual computer resource by binding it to a uniquely identified physical object.
In order to be reliable and unambiguous, the identification of individual computer resources must be provided in a way that cannot be subverted, modified, sabotaged, tampered with, altered, cloned, copied, or in any other way, means or manner undermined by parties seeking to violate the control of the computer resource. Examples of acts to be rendered practically impossible include, but are by no means limited to, removing the identification of an individual computer resource (“anonymizing”), changing the identification of an individual computer resource to the identity of a second computer resource (“spoofing”), and creating a second computer resource with the same identification as an existing computer resource (“cloning”).
Both of the examples of computer resource identification through binding to a uniquely identified physical object above, the serial number tag and the product identification sticker, are subject to all three of these attacks. Both the serial number tag and the product identification sticker can be removed (“anonymizing”), attached to alternative computer resources (“spoofing”), and duplicated (“cloning”).
These and other attacks on the identification of an individual computer resource through binding to a uniquely identified physical object are directed at the uniquely identified physical object itself as well as at the binding of the uniquely identified physical object to the individual computer resource. Therefore, both the nature of the uniquely identified physical object and the nature of its binding to the individual computer resource must be considered when assessing the suitability and security of means for providing an individual computer resource with a unique identification through binding to a uniquely identified physical object.
There are in the current art methods and systems for the identification of an individual computer resource through binding to a uniquely identified physical object. In order to counter attacks on the binding of the computer resource to the uniquely identified physical object in this case, means are provided such that the individual computer resource operates correctly if and only if the binding to the uniquely identified physical object is intact. A physical device employed as the uniquely identified physical object in the identification of an individual computer resource is designated as a physical signature device because the successful use of the individual computer resource implies the presence of the physical signature device and thus the physical signature device can be said to sign for and consequently authorize the use of the individual computer resource.
A familiar and widely used example of binding a software computer resource to a physical signature device is described and claimed in U.S. Pat. No. 4,599,489 (Solid state key for controlling access to computer software). Such a device is often referred to as a “dongle”. An executable program software computer resource that is bound to an individual dongle will operate correctly if and only if it is currently connected to that individual dongle. In other words, the dongle is a physical signature device.
Physical signature devices are of two kinds: digital and analog. The dongle is an example of a digital physical signature device. It stores a particular identification number in digital circuitry and provides this identification number in digital form to the executable program on demand, typically through the serial, parallel or USB port on the computer on which the executable program is being used. When the executable program is placed into execution, the executable program checks for the presence of an individual dongle on the communication port and only continues to execute if the individual dongle is found to be present on the communication port.
Another example of a digital physical signature device is the trusted computing platform. An example of this technique is described and claimed in U.S. Pat. No. 6,327,652 (Loading and identifying a digital rights management operating system). When an executable program is placed into execution on an individual trusted computing platform, the executable program performs a cryptographic protocol to verify the authenticity of the credentials of the individual trusted computing platform. If the credentials of authenticity are not present or are not in order, then the executable program does not continue execution.
A shortcoming of methods and systems based on digital physical signature devices such as the dongle and the trusted computing platform is that explicit instruction sequences must be included in and executed by the executable program to interact with the digital physical signature device. These instruction sequences, however, can be excised from the executable program or bypassed without affecting the functionality of the computer resource. In this way, a version of the computer resource is created that can be used successfully without requiring the presence of the digital physical signature device (“anonymizing”).
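The two kinds of digital physical signature device described above differ in what the executable program actually checks. The following is an added example, not code from the patent or from either cited device: a simulated communication port carrying either a dongle, which hands over a fixed identification number on demand, or a trusted platform, which must answer a fresh challenge using a credential key that never leaves the platform. The dongle check compares the returned number; the platform check verifies the challenge response. The keyed MAC is a constructed stand-in for the cryptographic protocol, which the text does not specify, so the verifier here holds the same key as the platform (a real platform credential would be verified with a public key). All class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Union


class Dongle:
    """Constructed stand-in for a dongle: one fixed identification number in digital circuitry."""

    def __init__(self, identification_number: int) -> None:
        self._id = identification_number

    def read_identification(self) -> int:
        # Handed over in digital form whenever the program asks for it.
        return self._id


class TrustedPlatform:
    """Constructed stand-in for a trusted computing platform holding a platform credential."""

    def __init__(self, platform_id: bytes, credential_key: bytes) -> None:
        self.platform_id = platform_id
        self._key = credential_key  # stays inside the platform

    def respond(self, nonce: bytes) -> bytes:
        # Prove possession of the credential key over a caller-chosen nonce.
        return hmac.new(self._key, self.platform_id + nonce, hashlib.sha256).digest()


class CommunicationPort:
    """Constructed stand-in for the serial, parallel or USB port the device is attached to."""

    def __init__(self, attached: Optional[Union[Dongle, TrustedPlatform]] = None) -> None:
        self._attached = attached

    def device(self) -> Optional[Union[Dongle, TrustedPlatform]]:
        return self._attached


def dongle_present(port: CommunicationPort, expected_id: int) -> bool:
    """Dongle-style check: is the individual dongle with the expected number on the port?"""
    device = port.device()
    return isinstance(device, Dongle) and device.read_identification() == expected_id


def platform_verified(port: CommunicationPort, expected_platform_id: bytes,
                      credential_key: bytes, nonce: Optional[bytes] = None) -> bool:
    """Trusted-platform-style check: does the platform answer a fresh challenge correctly?"""
    device = port.device()
    if not isinstance(device, TrustedPlatform) or device.platform_id != expected_platform_id:
        return False
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    expected = hmac.new(credential_key, expected_platform_id + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(nonce), expected)


def protected_program(port: CommunicationPort, expected_id: int, data: list) -> Optional[int]:
    """The executable program: check for the individual dongle first, then do the real work."""
    if not dongle_present(port, expected_id):
        return None  # refuses to continue execution
    return sum(data)  # stand-in for the program's actual functionality


if __name__ == "__main__":
    port = CommunicationPort(Dongle(4242))
    print("with dongle:", protected_program(port, 4242, [1, 2, 3]))
    print("without dongle:", protected_program(CommunicationPort(), 4242, [1, 2, 3]))
    key = secrets.token_bytes(32)
    print("platform ok:", platform_verified(CommunicationPort(TrustedPlatform(b"p1", key)), b"p1", key))
```

Note that in `protected_program` the useful work (`sum(data)`) has no data dependency on the device at all; the device check is a separate gate in front of it, which is exactly the property the next paragraph identifies as the shortcoming of both kinds of digital physical signature device.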
Another shortcoming of methods and systems that use digital physical signature devices such as the dongle and the trusted computing platform is that additional means must be provided to make it difficult to fabricate duplicate copies of the digital physical signature devices (“cloning”) and to ensure that the unique identification provided by the digital physical signature device cannot be altered (“spoofing”). Providing these means adds expense to the production of both the computer resource and the uniquely identified physical object used for its identification and control of its use.
Another shortcoming of methods and systems that use digital physical signature devices such as the dongle and the trusted computing platform is that few precautions are taken to prevent intrusive physical investigation and analysis (“tamper-resistance”), and that such intrusive physical investigations and analyses may be performed without leaving any indication that an intrusion has been made or attempted (“tamper-evidence”).
Another method and system available in the current art to control the use of a computer resource using a digital physical signature device is based on encryption of the instructions for operating the computer resource and execution of the encrypted instructions inside a special-purpose processor that is operative to decrypt the instructions as they are used to operate the computer resource. An example of this technique for an executable program software computer resource is described and claimed in U.S. Pat. No. 5,123,045 (Comprehensive software protection system). The executable program and the data to which it is being applied are stored in an encrypted form in an uncontrolled computer memory. The uncontrolled computer memory is connected to a controlled central processing unit that is contained in a sealed, tamper-resistant enclosure. The controlled central processing unit retrieves the encrypted instructions and data from the uncontrolled computer memory, decrypts the instructions and data once they are inside the controlled central processing unit, encrypts the results of applying the decrypted instructions to the decrypted data, and places the encrypted results back in the uncontrolled memory.
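The arrangement just described, as an added example that is not code from the patent or from the cited system: a toy stack machine whose instructions and data live only in ciphertext in an uncontrolled memory, and a controlled CPU that holds the key, decrypts each word as it fetches it, and re-encrypts the result before writing it back. The cipher is a constructed per-address keystream (HMAC-SHA256 of the address under the key, XORed into the 32-bit word), the opcode set is invented for the example, and the decrypt/encrypt counters are there only to make the per-instruction overhead visible; none of these are from the original. A CPU provisioned with the wrong key cannot make sense of the memory at all, which is the binding property the text describes.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed opcode set for the toy machine.
PUSH, ADD, MUL, HALT = 1, 2, 3, 4
MASK32 = 0xFFFFFFFF


class UndecipherableProgram(Exception):
    """Raised when the controlled CPU cannot interpret what it decrypted."""


def crypt_word(key: bytes, address: int, word: int) -> int:
    """Encrypt or decrypt one 32-bit word at an address (XOR with a per-address keystream)."""
    keystream = hmac.new(key, address.to_bytes(8, "big"), hashlib.sha256).digest()
    return (word & MASK32) ^ int.from_bytes(keystream[:4], "big")


class UncontrolledMemory:
    """Ordinary memory outside the enclosure: it only ever holds ciphertext."""

    def __init__(self, size: int) -> None:
        self.words: List[int] = [0] * size

    def read(self, addr: int) -> int:
        return self.words[addr]

    def write(self, addr: int, word: int) -> None:
        self.words[addr] = word


class ControlledCPU:
    """Processor inside the sealed, tamper-resistant enclosure; the key never leaves it."""

    def __init__(self, key: bytes, memory: UncontrolledMemory) -> None:
        self._key = key
        self.mem = memory
        self.decryptions = 0  # one per instruction or operand fetched
        self.encryptions = 0  # one per result written back

    def _fetch(self, addr: int) -> int:
        self.decryptions += 1
        return crypt_word(self._key, addr, self.mem.read(addr))

    def _store(self, addr: int, word: int) -> None:
        self.encryptions += 1
        self.mem.write(addr, crypt_word(self._key, addr, word))

    def run(self, pc: int, result_addr: int, max_steps: int = 1000) -> None:
        stack: List[int] = []
        for _ in range(max_steps):
            op = self._fetch(pc)
            try:
                if op == PUSH:
                    stack.append(self._fetch(pc + 1)); pc += 2
                elif op == ADD:
                    b, a = stack.pop(), stack.pop(); stack.append((a + b) & MASK32); pc += 1
                elif op == MUL:
                    b, a = stack.pop(), stack.pop(); stack.append((a * b) & MASK32); pc += 1
                elif op == HALT:
                    self._store(result_addr, stack.pop()); return
                else:
                    raise UndecipherableProgram(f"unknown opcode {op} at {pc}")
            except IndexError:
                raise UndecipherableProgram("stack underflow: instructions do not decrypt sensibly")
        raise UndecipherableProgram("step limit exceeded")


def provision(key: bytes, program: List[int]) -> UncontrolledMemory:
    """Done by the party holding the key: place the program in memory in encrypted form."""
    mem = UncontrolledMemory(len(program) + 1)  # one extra word for the result
    for addr, word in enumerate(program):
        mem.write(addr, crypt_word(key, addr, word))
    return mem


def run_encrypted(key: bytes, program: List[int]) -> Tuple[int, int, int, UncontrolledMemory]:
    """Provision, execute, and read back the (encrypted) result; returns result and op counts."""
    mem = provision(key, program)
    cpu = ControlledCPU(key, mem)
    result_addr = len(program)
    cpu.run(0, result_addr)
    result = crypt_word(key, result_addr, mem.read(result_addr))  # key holder reads the result
    return result, cpu.decryptions, cpu.encryptions, mem


if __name__ == "__main__":
    program = [PUSH, 6, PUSH, 7, MUL, PUSH, 1, ADD, HALT]  # computes 6 * 7 + 1
    result, dec, enc, mem = run_encrypted(b"e" * 32, program)
    print(f"result={result} decryptions={dec} encryptions={enc}")
    print("memory as seen outside the enclosure:", mem.words)
```

Every instruction fetch here costs one keystream derivation, so a nine-word program needs nine decryptions and one encryption before producing a single result. That is the slowdown the following paragraph lists among the shortcomings of this approach.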
One shortcoming of this method and system is that it requires a special-purpose computer in a secure enclosure, which adds expense to the production of both the computer resource and the uniquely identified physical object used for its identification. Another shortcoming of this method and system is that the computer resource operates more slowly than it is capable of operating, due to the necessity to continuously decrypt the instructions and the data with and on which it operates and to continuously encrypt the results of applying the decrypted instructions to the decrypted data. Another shortcoming of this method and system is that it is not readily applied to computer resources other than executable program software computer resources.
A need exists, therefore, to provide a low-cost physical signature device and a method and system for binding said low-cost physical signature device to computer resources for the purpose of controlling the use of computer resources that does not exhibit the above-mentioned shortcomings of the current art. Such a physical signature device should provide a unique indicium (“signature”). Such a physical signature device should be difficult to alter or duplicate. Such a physical signature device should be easily and yet tightly, securely and irrevocably bound to a computer resource. Such a physical signature device should be tamper-resistant and tamper-evident. Such a physical signature device should be able to be used with many different kinds of hardware and software computer resources. The security provided by such a physical signature device should not be based exclusively on instructions for the purpose of interacting with the device. Nor should such a physical signature device require the encryption/decryption of the operating instructions for the computer resource or the use of a special-purpose central processing unit.